Fresh Phish. (So Many Puns, So Little Time.)

Today’s phish blog breaks our format a bit so we can bring you lots of examples. Enjoy. And then get protected!

Phishing is prevalent because it works. Even savvy users can be tricked into opening the wrong emails.

I’ve seen a couple of clear examples of this recently. The first is one that quite convincingly mimics the invoice emails from a fairly significant UK web hosting provider:

A PDF file was attached to the email. When the PDF was opened it asked the user to allow an embedded Word document to open. So, the user had another chance to do the right thing…

But of course, they didn’t. They allowed the file to run…

… and without Bromium protection, they would have been pwned.

Now, I know you’re thinking: “I’ve trained my users. They’re too smart to open a file like this.” And you may be right (but probably not).

But then have a look at this example of a phishing email that one of our employees recently received:

As you can see, this one is quite targeted. I’ve obscured the recipient’s correct home address, which appeared in the email.

The Word document attached was a .dot (template) file, and the file name was the recipient’s surname. When the user opened the attachment it prompted for the password that was provided in the phishing email:

It then ran a macro to conduct its nefarious business…

So would your users open an attachment in an email sent to them with their correct home address, when the file name was also their surname? Hmm…
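Both lures described above have traits a mail filter can check before the user ever sees a prompt: a PDF carrying an embedded file, and a template attachment named after the recipient with the password supplied in the body. The Python below is an added example, not code from this post or from Bromium; the `triage` function, the flag names, the extra template extensions and the sample messages are assumptions constructed for illustration.

```python
import os
import re
from email.message import EmailMessage

# ".dot" comes from the post; ".dotm"/".dotx" are assumed sibling template types.
TEMPLATE_EXTS = {".dot", ".dotm", ".dotx"}

def triage(msg, surname):
    """Return heuristic flags for one message addressed to `surname`."""
    flags, body, has_attachment = [], "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename()
        if name is None:
            if part.get_content_type() == "text/plain":
                body += data.decode("utf-8", "replace")
            continue
        has_attachment = True
        stem, ext = os.path.splitext(name.lower())
        # Plain byte search: misses names hidden in compressed object streams.
        if data.startswith(b"%PDF") and b"/EmbeddedFile" in data:
            flags.append("pdf-embedded-file")
        if ext in TEMPLATE_EXTS:
            flags.append("template-attachment")
        if stem == surname.lower():
            flags.append("filename-is-surname")
    # A password supplied in the body alongside an attachment, as in the second lure.
    if has_attachment and re.search(r"\bpassword\b", body, re.I):
        flags.append("password-in-body")
    return flags

def sample(body, filename, data):
    """Build a constructed test message (not a real phish)."""
    m = EmailMessage()
    m["To"] = "j.smith@example.com"
    m.set_content(body)
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

# Constructed inputs modelled on the two lures in the post.
PDF_LURE = sample("Your invoice is attached.", "invoice.pdf",
                  b"%PDF-1.5\n1 0 obj << /Type /EmbeddedFile >> endobj\n")
DOT_LURE = sample("The password is 1234.", "Smith.dot", b"\xd0\xcf\x11\xe0")

if __name__ == "__main__":
    for m in (PDF_LURE, DOT_LURE):
        print(triage(m, "Smith"))
```

These flags are signals for quarantine or review rather than verdicts, since legitimate mail can match any one of them on its own.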

Thankfully, the recipients of the two emails I’ve discussed in this blog are Bromium users. They opened the emails, the malware ran, it was isolated, and nothing bad happened to them. They could just carry on with their working day. At the same time, their security teams received rich data about the modus operandi of the malware – which they could use to improve their defense-in-depth, or perhaps choose to share with others so they could get the benefit of this intelligence.

For example, below are a couple of snippets of the Threat Report from the first PDF above. If you have any questions about this, please contact us (ask for Fraser!). I’d love to show you a demo.